Re: SE-PostgreSQL Specifications

Sam Mason wrote:
> On Sat, Jul 25, 2009 at 09:16:47AM +0900, KaiGai Kohei wrote:
>> Sam Mason wrote:
>>> The show_credit() function in this section would seem to leak authority
>>> as well; it seems possible to determine if customers exist that
>>> otherwise may otherwise hidden.  For example, imagine we have a row
>>> in the customer table with cid=1 whose security label would normally
>>> prevent.  We can perform:
>>>
>>>  SELECT show_credit(1);
>>>
>>> and, as far as I can tell, this call would succeed.
>> This example shows that confined client cannot read credit card number
>> without using trusted procedure, but trusted procedure returns masked one.
>> It does not intend to hide existence of entries within customer table.
> 
> This would seem to imply that all user defined trusted code has to
> perform its own permission checks.  How is MAC any different from DAC in
> the presence of code such as:
> 
> CREATE OR REPLACE FUNCTION show_customers () RETURNS SETOF RECORD
>     LANGUAGE 'sql'
>     SECURITY_LABEL = 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0'
>   AS 'SELECT * FROM customer';
> 
> (I hope I've modified the example correctly!)

In this case, confined users cannot create a function labeled as
'system_u:object_r:sepgsql_trusted_proc_exec_t:s0', because it is
controlled by db_procedure:{create} permission.

Confined user can create a function with "user_sepgsql_proc_exec_t"
(which is the default one for confined users), but it is not a trusted procedure,
so the "SELECT * FROM customer" is executed with confined user's privileges as is,
then it will be failed due to the lack of permission on the customer.credit.

Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>